With the Office of Civil Rights (OCR) increasing its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts, covered entities should familiarize themselves with some of the most common HIPAA violations. In 2016, the OCR collected a record-setting $25 million in HIPAA fines, greatly surpassing the previous record of $7.4 million in 2014.
So, whether you’re a primary care physician, surgeon, dentist, healthcare specialist or any other covered entity, you should avoid the following 7 HIPAA violations.
Lost or Stolen Devices
Lost or stolen devices are the number one reason for medical data breaches affecting more than 500 individuals. Under HIPAA, covered entities are required to implement physical, technical, and administrative safeguards to prevent the unauthorized access of Protected Health Information (PHI). If PHI is stored on a laptop or smartphone, those safeguards must be implemented on the respective device.
In 2014, Concentra Health Services agreed to pay more than $1.7 million as part of a resolution to settle HIPAA violations stemming from a stolen laptop. After conducting an investigation, the OCR concluded that Concentra failed to “manage its identified lack of encryption,” nor did it document why encryption was not implemented. This occurred as a result of a single stolen laptop containing unencrypted Electronic Protected Health Information (e-PHI).
Improper Disposal of PHI
Whether paper or electronic, you must dispose of PHI in a manner that makes it indecipherable and unrecoverable. Tossing a patient’s medical file in the trash, for instance, is not appropriate. There have been dozens of cases in which the OCR has cited covered entities for improper disposal of PHI.
In 2012, Cornell Prescription Pharmacy agreed to pay $125,000 for improper disposal of PHI. Investigators determined the pharmacy had tossed documents containing protected information (PI) in the dumpster. And just one year later, CVS – the largest pharmacy chain in the United States – agreed to pay $2.25 million as part of a resolution agreement for tossing PHI in publicly accessible dumpsters.
So, what methods of PHI disposal are acceptable under HIPAA? The United States Department of Health & Human Services (HHS) does not require any specific methods of disposal. Rather, it allows covered entities to choose their own methods, as long as they completely destroy the PHI so it cannot be reconstructed or otherwise deciphered.
Acceptable methods of disposal for e-PHI include purging with a strong magnet, physically destroying the media, or cleaning the media using software or hardware utilities. For paper PHI, acceptable methods of disposal include pulverizing, incinerating, burning, or shredding.
Non-HIPAA Compliant Cloud Service Provider (CSP)
Cloud computing and cloud storage services have become increasingly popular among professional healthcare providers. Rather than storing patient data locally, providers are able to store it on a remote server (the cloud). This mitigates the risk of lost data, while allowing employees to access it from any Internet-connected computer.
But if you’re thinking about partnering up with a cloud service provider, you should choose one that’s HIPAA-compliant. HHS requires all covered entities to enter into a business associates agreement (BAA) when using a CSP. If the CSP is not willing to enter into a BAA, you cannot transfer or otherwise give them access to your practice’s PHI.
Not Performing Regular Risk Analyses
As part of the HIPAA Security Rule, covered entities are required to perform a risk analysis, also known as a risk assessment, to determine the likelihood of a data breach involving e-PHI. This assessment is intended to identify potential risks and vulnerabilities to e-PHI.
Recently, Advocate Health Care was slapped with a $5.5 million fine for failing to perform accurate and thorough risk analyses of its practices. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) was also cited for failure to conduct regular risk analyses – among other violations – for which it paid $1.5 million.
Some elements required in a risk analysis include:
- Location of e-PHI
- Documentation of potential threats and vulnerabilities
- Assessment of your practice’s current security measures
- Likelihood of threat occurrence
- Level of risk
- Finalized documentation
Encryption is a tricky subject with regard to HIPAA compliance. Neither the Security Rule, nor any other rule, specifically requires covered entities to encrypt e-PHI. Nonetheless, failure to do so may attract an audit and subsequent penalties. Encryption is considered an “addressable” specification, meaning covered entities are only required to implement it if it reduces the risk of an e-PHI data breach. Here is the catch: encryption will always reduce the risk of data breaches, as it renders sensitive data unusable without the decryption key. If you lose a laptop containing encrypted e-PHI, the risk of an unauthorized user accessing the data is low. But if you lose a laptop with unencrypted e-PHI, the risk is significantly higher.
Unauthorized Third-Party Disclosure
Dozens of covered entities have been fined for unauthorized disclosure of PHI to third parties. Generally speaking, covered entities should only disclose a patient’s PHI to other individuals and organizations when it is helpful in facilitating treatment, payment, or other healthcare operations. For all other disclosures, a written consent form is required.
If a patient’s friend comes into your practice requesting an update on the patient, for instance, you must seek a written consent form before disclosing any PHI – assuming the disclosure is not being used to facilitate treatment, payment, or healthcare operations. When deciding whether a consent form is required, it is best to err on the side of caution and use one.
Not Training Employees
Another all-too-common HIPAA violation is the failure to train employees on HIPAA compliance requirements. Even if you are familiar with the nuances in HIPAA law, perhaps your employees are not. HIPAA requires all covered entities to provide training to their employees, and failure to provide this training could leave the practice open to fines and other enforcement penalties.
Employee training is not a one-time requirement. Under HIPAA, covered entities must train all existing and new employees on HIPAA law, as well as provide a refresher course periodically. There is no specific time for these refresher courses, though most healthcare organizations offer annual training to their employees.
As a covered entity, you should be aware of these common HIPAA violations so you do not have adverse action taken against you, such as a fine or being placed on a corrective action plan.